Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

How to Restrict WordPress Admin Access by IP Address

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Do you want to restrict access to your WordPress admin area for security reasons?

If you have a small team, then one good solution is to restrict access to only those IP addresses used by team members.

In this article, we will show you how to restrict WordPress admin access by IP address, step by step.

How to Restrict WordPress Admin Access by IP Address

Why Restrict WordPress Admin Access by IP Address?

If you are running a WordPress website, then you need to take your website’s security seriously. While WordPress core software is very secure, there’s more that you can do to protect yourself from hackers and brute force attacks.

Hackers can take down your website, as well as damaging your revenue and reputation. They can steal data or even distribute malware to your website visitors and get your domain blacklisted by Google and others.

One smart way to block hackers and improve WordPress security is by protecting your WordPress admin area from unauthorized access.

If only you or a few trusted users need access to the admin area, then a good way to do that is to limit access to wp-admin and the WordPress login page to your team’s IP addresses.

Each team member will connect to your WordPress site using a specific IP address for each location. If you block access to all other IP addresses, then a hacker won’t be able to gain access to your website even if they have discovered your username and password.

Instead, they will see the error message: ‘Forbidden. You don’t have permission to access this resource.’

Let’s take a look at how to restrict WordPress admin access by IP address.

How to Restrict WordPress Admin Access by IP Address

The first thing you need to do is make a list of the IP addresses used by everyone you need to log in to your WordPress website. If someone works from several locations, then you will need to collect the IP address for each one.

They can learn their IP address by visiting a site like SupportAlly.

Once you have made your list, then you will need to edit a file on your website. You’ll have to use an FTP client or your hosting provider’s file manager app. If you haven’t used FTP before, then you may want to see our guide on how to use FTP to upload files to WordPress.

You will need to use the software to navigate to your website’s /wp-admin/ folder. Once there, you should look for the .htaccess file. This is a hidden file, so if you can’t see it, then you may need to enable the show hidden files option in your software.

Navigate to wp-admin and Locate .htaccess

If that file doesn’t exist in the folder, then you should create a new file and save it with the name .htaccess in your /wp-admin/ folder.

Warning: Do not edit your root .htaccess file, or you will lock visitors out of your website’s front end! Make sure you are editing /wp-admin/.htaccess.

You should first download a copy of the file to your computer as a backup. Once you’ve done that, you will need to edit .htaccess and paste the following code:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
# whitelist Amanda's IP address
allow from xx.xx.xx.xxx
# whitelist Muhammad's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
</LIMIT>

Go ahead and edit the file to match the names of your own team members, and then paste in the IP addresses you collected earlier to replace where it says xx.xx.xx.xxx.

Once you save the file, only those IP addresses will be able to access WordPress admin.

Remember that if your IP address changes or you try to access your website from a new location, then you will be locked out of your WordPress admin area. You will need to add your new IP address to the /wp-admin/.htaccess file.

We hope this tutorial helped you learn how to restrict WordPress admin access by IP address. You may also want to see our WordPress tutorial on how to get a free SSL certificate for your website or check out our list of the must-have plugins to grow your site.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

43 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

    • WPBeginner Support says

      You would need to have your FTP or file manager show hidden files if you do not see it.

      Admin

    • WPBeginner Support says

      There are multiple methods to find your IP, one of the simple ones would be to use a site like supportally.com

      Admin

  2. Chris says

    You have to enable
    module authz_groupfile
    “sudo a2enmod authz_groupfile”
    and restart apache

  3. Rajat Shankhdhar says

    Not working for me. Code restricting admin to get access even I put the ip in a whitelist.

  4. Rostyslav says

    After this line, you must put a condition for permission to allow php files to prevent conflicts:

    allow from all

  5. Solace says

    I tried the .htaccess password protection method.

    It works, but I tried it on a site with Woocommerce, but then my customers weren’t able to log in.

    Just saying that because it seems no one has mentioned that it doesn’t work with sites that need customers to log in !

  6. Miguel says

    Hello, thank you for the tutorial. Unfortunately, I have not been able to make this .htaccess file to work correctly because it is denying access to the only IP address I included, my own… I am certain I copied your code exactly and I typed my IP correctly. The .htaccess file was saved under: /wp-admin/.htaccess

    Am I missing something? Thanks

  7. Emaan Ali says

    Hi Guys,

    I have blocked the wp-admin with .htaccess as mentioned in this article. But i am having one problem that my admin-ajax file is also being restricted on public site.

    My wordpress theme uses much of admin ajax functionality and that I have put the IP limitation access on wp-admin folder so its not accessible for all IP’s.

    Does anyone find the solution for this ? If so please share .

    Thanks in advance
    Emaan

  8. Len says

    Hi, This seems really a helpful one. Maybe you could help me. Instead of whitelisting an IP can we allow access for specific countries in .htaccess file? Hoping you can help me. Thank you very much.

  9. Scotty says

    Hi, This does work. I checked and am “forbidden” to login on any other computer. I can’t even see the login panel. However, I am still getting about 24 failed log in attempts per day from all different IP addresses. Any ideas how there getting around this? It’s some kind of brute force attack? Thanks, Scott.

  10. Sehrish says

    And how to allow access to only wordpress adminitrator ?What code i will write without any ip ? I just need to know a generic function that get admin related info.Becuse i have to restrict my plugin uploads from other user.And Whoever using this plugin i have to get its admin info to restrict contents from other and allow only to admin of website.

  11. Kim says

    I tried this (after previously successfully password protecting my wp-admin directory and fixing the redirect error per your other article), but then I get a pop-up asking for a user name and password for the “WordPress Admin Access Control”. What user name and password am I supposed to be using for this new pop-up? Neither the wordpress admin logon nor the wp-admin directory logon work for it.
    Thanks!

    • Kim says

      Oh, I believe I figured out the problem; seems to work as long as I make sure to have the added code at the very beginning.

  12. Jordyn says

    I have a big problem :(

    I did what you said about creating the .htaccess and putting in the code snippet. It didn’t work so I deleted the .htaccess file and now I can’t login to my dashboard! It’s just a white screen :( Please help!!!

    Thanks

      • Jordyn says

        All I did was create the file in my wp-admin folder and when it didn’t work I deleted it from the wp-admin folder. I’m not sure what happened but, after a crazy rabbit trail and many shots in the dark, I was able to correct the problem by adding to the top of my login.php file. I still don’t know what went wrong or why what I did fixed it…. but at least its fixed. I may try this again when I’m feeling brave.

  13. Raheem Khan says

    Hi WPB, I don’t think it will be working in Pakistan because every time we reset or turn of our DSL modem so the IP address automatically changes. if any other tip please reply me.
    Thanks

  14. andrew says

    hi, how to make .htaccess with dynamic ip (non static ip)
    my ip is always change xxx.xxx.xxx.12 xxx.xxx.xxx.453 xxx.xxx.xxx.076

    please help…

      • Joe says

        You can harden your wordpress install via .htaccess whitelisting even if you have a dynamic IP address. You can whitelist a range of IP addresses using a /24 or /16 range. While this allows more access than if you always knew the IP you wanted to allow, it still prohibits access from almost the entire internet.

        Just add /24 to the end of the allow from line to allow the whole class C subnet (256 IPs), or add /16 to allow the whole 65,536 range. i.e.

        allow from xxx.xxx.xxx.0/24

        will allow access to IP addresses from xxx.xxx.xxx.0 – xxx.xxx.xxx.255. and

        allow from xxx.xxx.0.0/16

        will allow access from IP addresses from xxx.xxx.0.0 – xxx.xxx.255.255

  15. Kyle says

    You say not to do the root site’s .htaccess file…why is that? Because you just want to limit access to the /wp-admin folder?

    So…if I wanted to have a WordPress site hosted externally but used as an internal company resource so that only people using IPs of our company could access it…if I edited the root folder’s .htaccess folder to only allow IPs from our domain…that would work the same way your /wp-admin fix is, but for the entire site, correct?

    • Editorial Staff says

      Yes Kyle, the reason why we said do not put this code in the root file because then it will limit your site access to only these IP as well. But if you are trying to make a site just for your company’s staff can access it only from work, then you would want to put the .htaccess file in the root folder.

      Admin

    • Alim Bolar says

      Can I limit access based on other criterias? Like I need only my laptop to access a particular folder.. I could access it from anywhere so it would be difficult to specify an IP as my internet access would be based on DHCP. Is there a unique identifier for every machine or something like that that can be used as a criteria?

Leave a Reply to Mukund Cancel reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

WPBeginner Assistant
How can I help you?

By chatting, you consent to this chat being stored according to our privacy policy and your email will be added to receive weekly WordPress tutorials from WPBeginner.